Adopting IT-OT Convergence

IT / OT Convergence is an industry term that became more prominent with the Industry 4.0 movement. With the introduction of Industrial Internet of Things (IIoT), Big Data, Artificial Intelligence (AI), Cloud Computing, plus other technology disruptors, enterprise goals and objectives became more relevant across IT and OT departments. Convergence may also be applied through People, Process, and Technology (PPT). When considering convergence, PPT must be well balanced to implement and operate successfully. Placing too much weight on one element of the PPT framework brings high risk for rework and missed targets.

For context, Information Technology (IT) can be defined as the centralized corporate services and support operations and / or revenue generators. Operational Technology (OT) can be defined as the operational systems required to generate the revenues or offer critical services to the country.

The convergence of IT and OT is viewed as a benefit to support leadership goals and objectives through cost savings, leverage existing skilled resources, simplifying environments, centralizing of critical services, and increasing competitiveness in the marketplace. Whether it’s the IT environment that requires OT information for business decisions or OT requires cyber experience from IT to address skill gaps, there is business benefit for convergence.

Convergence makes business sense so what’s the hold up? Well many challenges arise when converging IT and OT environments. Some examples may include culture clashes, expectations by leadership, skilled workforce in both environments, and competing priorities. Although each have a unique approach, I will focus on competing priorities.

Both IT and OT departments have different priorities. Using the CIA triad, IT prioritizes Confidentiality first, Integrity second, and Availability third. If a corporate email service goes down for a couple hours or is restarted for maintenance, usually it does not cause a significant disruption to the department and is tolerated. On the other hand, OT prioritizes the reverse where it is Availability first, Integrity second, and Confidentiality third. Restarting a protective relay or remote terminal unit may have severe consequences due to unplanned outages, lost visibility with system operators, or breached service level agreements with external partners and stakeholders.

When these two departments start to converge, usually there is a lack of understanding the business and operations. Operating OT like IT is risky and same for the reverse. Releasing confidential corporate information holds severe consequences for IT stakeholders but unavailability of production operations could cause millions in revenue loss within an hour. Trying to find a happy medium between the two domains usually results in competing priorities. Without understanding the other department’s business, issues arise to implement IT / OT Convergence. This is where culture clashes may occur between operations and corporate departments. Each department may expect the other to operate they way they understand it.

Culture clashes may occur at the department level as well as the team level. Sub-cultures also hold a dramatic impact to the success of cultural changes. Retirements, job protection, safety, and unions are a few examples where sub-cultures may interrupt convergence progress.

Every organization is unique and implementing a standard IT / OT Convergence across every organization is the same as forcing everyone to wear the same shoes. Each must be assessed to understand the barriers and increase the chances of successful convergence using a tailored approach to match the uniqueness. This concept of IT and OT using different operating models and priorities is critical for leadership to understand to help set their expectations and support convergence activities.

It shouldn’t come as a surprise that 100% convergence is very unlikely. Convergence activities may discover candidate areas to converge that may not be ideal. For instance, an OT process may rely heavily on an outsourced OT vendor skillset, or an OT process holds direct impact to a physical asset like a motor or pump. If site personnel are working physically on a machine that is controlled by an OT process, the consequences of an unplanned change can be fatal. These types of critical processes may be addressed with change control processes and appropriate communication plans, but it depends on the organizational dynamics. In the event convergence does not provide efficiencies or effectiveness, there must be tolerance to consider those areas critical to the department and left as such.

Incorporating a centralized risk management framework across both environments and assessing the risks with the same risk processes will help raise awareness within the cross-functional teams. Operational risks may also arise from the awareness as new cyber events or changes occur. Centralized services like risk management can help break the silos and facilitate cultural change. Monitoring cyber security risks as a cross-functional team demonstrates a significant example where IT provides cyber security expertise and OT provides the operational expertise for impact, which usually translates into enterprise goals and objectives.

In addition to unique requirements and centralized risk processes, an analysis of the capabilities against business objectives also provides value for convergence. Where is IT strong that OT is weak and vice versa? Can OT capitalize on any opportunities IT is targeting? What threats to the business objectives can the other department help mitigate? What critical systems and processes require dedicated resources? What operations are 24/7 and possess the right skills and responsibilities? By understanding the strengths and weaknesses of each department, gaps and capabilities are understood and actionable. Each organization holds different budgets, tolerances, sensitivities, personnel, culture, etc. and must be considered for IT / OT Convergence.

IT / OT Convergence challenges will constantly be active and ongoing. When it comes to cyber security and risk, it may be beneficial for an organization to completely separate the two departments and avoid convergence. Other firms will target the benefits to reduce costs and increase efficiencies to gain a competitive advantage. Can IT learn the OT environment to support cyber security services? Yes, but IT requires critical thinking and creativity to service both IT and OT. An IT process may hold severe physical consequences if applied to the OT processes. OT would require cultural change to trust IT or implement monitoring controls to help ease trust issues.

Unfortunately, IT / OT Convergence is not implemented with the flip of a switch. As each organization is unique, so should significant changes like convergence projects be unique. Set the expectations of leadership and support their goals with a cross-functional risk management team. Understand the capabilities and opportunities within each department and analyze against PPT. Additional factors include, but not limited to, the core industry, economic pressures, competition, and industry cyber threats.

IT / OT Convergence requires performance monitoring after its implemented in the target areas. Expecting convergence to continue with perpetual motion and automation introduces additional risk to the organization’s investment and established objectives. Convergence requires sustainable measures to provide value to the organization’s goals.